Jump to content
Macrura

Password Protect Page

Recommended Posts

I have a client who is a record label and they need to have some pages for promoting albums, where there can be a password they give to a reviewer, so the reviewer can go to the URL, type in the password, and be able to view the content (which will be streaming audio and downloads of the album in question).

i have found some simple ways online to do this with PHp, but i'm wondering if there is a better/simple way to interact with PW session to achieve this.

The client doesn't want to have to add roles/users or deal with permissions...they just want to have an input field where they can put in the password for that album...

TIA,

Marc

Share this post


Link to post
Share on other sites

All the reviewers will have the same password for each album? Or each reviewer will have it's own password?

Share this post


Link to post
Share on other sites

All the reviewers will have the same password for each album? Or each reviewer will have it's own password?

Good question - another one could be whether the password should be time limited? So it will work for 48 hours then become obsolete, for example.

Share this post


Link to post
Share on other sites

It would be 1 password to access the album, everyone with the password would be able to access it;

this will be on a non search indexed subdomain of their main site, the links only given to the various press/reviewers.

after the promo period, they would unpublish the page, and we would use the redirects module to send incoming requests to a contact page;

Share this post


Link to post
Share on other sites

Did I understood right?

1 Page with only a Password form?

According to the password the user will be redirected to the common album?

How secure has the login to be?

I think the fastest way to achieve your needs would be a template with a input field -> site Password and the main content.

In the Template file you could do something like this:

<?php
// check for login before outputting markup
if($input->post->pass) {

 $pass = $input->post->pass;
 if($pass == $page->password_field) {
		 // login successful
		 $session->redirect($page->url);
 } else {
		 $session->login_error = 'Please check your Password';
 }
} ?>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>Login</title>
</head>
<body>
<? if($input->post->pass) {
	 echo "<div class='error'>				
" . $session->login_error . "
		 </div>";
	 }?>		
<form method="post" action="./" accept-charset="UTF-8">

<input type="password" id="pass" name="pass" placeholder="Password" required />
	 <button type="submit" name="submit" class="btn btn-success btn-block">Login</button>
</form>

</body>
</html>
<?
die(); // don't go any further if not logged in
} // end !logged in
?>

Share this post


Link to post
Share on other sites

Thanks Luis, I really appreciate your post - this looks like a very simple/elegant way to do this - i'll report back as soon as i have a chance to integrate this.

-marc

Share this post


Link to post
Share on other sites

Hi Luis,

I've almost got this working, the main issue now is that the code seems to loop, and also i was getting an error because of the unmatched brace on the } "// end !logged in" line... maybe that's why this is not working?

so after you click the login button, you keep getting back to the login page, i guess because since it is all on the same template?

I tried an alternate idea of having only the login code on the template and then including the markup code for the page, contingent on being logged in, which works;

but i'm not sure this is necessary - and with this method i can't figure out how to throw the wrong password error...

thanks again for your advice and the code!

-marc

Share this post


Link to post
Share on other sites

Hey Marc,

How did you implemented the code?

Sorry for the error, I didn´t tested the code just copy and pasted the snippet and edited it in the browser.

Well my thoughts where the following:

New Page called Albums. -> Status Hidden to exclude from search and nav.

Children of Albums are the Password protected pages.

New Template called Album. -> works as template for these children.

Album template contains the following fields:

password

body

images

the template file should look something like this:

<- Password / login code ->

<- normal page code like head, foot and your assigned fields ->

So you create a new child and enter your wished password in the assigned password field.

After entering the password you should have access to the page.

Share this post


Link to post
Share on other sites

Hi Luis,

this is my temporary solution - it works for now, but i'm thinking i should do this with a session variable so that if the user refreshes the page or navigates away, and comes back, they don't have to re-enter the password; Also i need to provide an error message... thanks again for your help; I'll see if i can improve my knowledge/use of the api with respect to $input and $session...

<?php
if($page->album_password) {

   $pass = $page->album_password;    
   if($input->post->pass != $pass) { ?>

   <!DOCTYPE html>
   <html>
   <head>
   <meta http-equiv="content-type" content="text/html; charset=utf-8" />
   <title>Login to view <?php echo $page->album_title ?></title>
   </head>
   <body>

       <form method="post" action="./" accept-charset="UTF-8">
           <input type="password" id="pass" name="pass" placeholder="" />
           <button type="submit" name="submit" class="btn btn-success btn-block">Login</button>
       </form>

   </body>
   </html>

   <? } else {
   include("./inc/album.inc");
   }

   } else {
   include("./inc/album.inc");
   }
?>

Share this post


Link to post
Share on other sites

Should be fairly easy to add session support.

if($input->post->pass) $session->pass = $input->post->pass; 
if($page->album_password && $session->pass !== $page->album_password) {
 $page->body = $input->post->pass ? '<h3>Invalid Password</h3>' : '';
 $page->body .= file_get_contents("./inc/login-form.inc"); 
 include("./basic-page.php"); 
} else {
 include("./album.inc"); 
}
  • Like 2

Share this post


Link to post
Share on other sites

im also implementing pages protected only by a a password. The code here works, but like this the password isn't using any encryption. I tried to define the field as a password, and like this make it encrypted. But i dont know how to compare with the user input

i tried this, where password_salt is a password field for this page:

// this works: i got the input from the form password field
$pw2= $input->pass;
echo "<br />bd: " . $pw2;

// here i got the: Error: Exception: Method Password::match does not exist or is not callable in this context 
$pw3= $page->password_salt->match($pw2);
echo "<br />password_salt: " . $pw3;

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Similar Content

    • By theoretic
      Hi there! And thanks for Processwire!
      I've got an interesting case concerning access to current user page. It appears that PW somehow limits access to the frontend page of current user.
      I'm speaking about a specific PW configuration. We have two kind of users: 'regular' users with native user template and member users with specific member template and specific members parent page (by the way, it's so cool that PW allows to use custom user templates and custom parent for certain user pages!). So a member with name Joe has a page with member template and url like /members/joe .
      The members template has some access limitations: only member users can see pages with member template. It works like a charm in most situations. For example, user Bill (who has member template and is logged in) can browse a page with url /members/ann which also is a member page with member template.
      And now, meet the glitch! The above-mentioned Bill cannot get to his own page /members/bill ! PW generates 404 page instead.
      I see no reason for this behavior. From my point of view any member should have access to any member page in this situation. What am i doing wrong? Any advice is welcome!
    • By wwwouter
      Some context: I want to use PHP variables in my CSS (more info below) and found a solution on CSS-tricks that looks fairly elegant and somewhat solid to me. It's pretty simple, I created a file style.css.php inside the site/templates/ directory and load that in my page head. In style.css.php is the following:
      <?php header("Content-type: text/css; charset: UTF-8"); header("Charset:utf-8"); if ($homepage->hero_image) { echo <<<CSS .hero { background: url($homepage->hero_image->url) no-repeat; } CSS; } ?> Because of the following RewriteCond (line 373) in the htaccess file the server sends a 403 error back when the file is requested:
      # Block access to any PHP or markup files in /site/templates/ or /site-*/templates/ RewriteCond %{REQUEST_URI} (^|/)(site|site-[^/]+)/templates($|/|/.*\.(php|html?|tpl|inc))($|/) [NC,OR] (My htaccess file is @version 3.0 and @htaccessVersion 301)
      This is how I thought I could fix that (based on these answers on stack overflow) but it does not work:
      # Block access to any PHP or markup files in /site/templates/ or /site-*/templates/ RewriteCond %{REQUEST_URI} (^|/)(site|site-[^/]+)/templates($|/|/((?!style\.css).)*\.(php|html?|tpl|inc))($|/) [NC,OR] I tested the rule with htacess tester and htaccess check and both worked for me, but on my site I still get a 403 instead of the file.
      I'm working on localhost, using MAMP (not sure if that's relevant).
      A bit more about what I want to do achieve specifically:
      I want to use an image as a background-image for an element, not place it as an image. This image is provided by the user via a field and can therefore change.
      I know I can achieve this like this:
      echo "<section class='hero' style='background-image: url($page->hero_image->url)'></section>"; But I would prefer a method other than inlining because of scalability and cleanliness. (I admit the extra link in the page head is not ideal either)
       
      P.s. this is my first post here, I hope it's submitted in the right forum and my explanation is clear.
    • By Lewis Newson
      Hi All,
      Im working on streamlining my email sending setup for SMTP. I have a page where the user of the website can input the SMTP host, port, connection type email and password etc but the password field has an additional box underneath it for 'Confirming' it as if it were a new password. The placeholder text also says 'New Password' but I want to be able to change that. I just need an input field where they can enter their SMTP password without it being plain text.
      Thanks for your help!
    • By humanafterall
      Hi,
      I would like to set an admin template to 'https only' as recommended in the Processwire security docs.
      However if I do this it forces this setting locally too, resulting in https://localhost requests which result in an error page.
      Is there a simple way round this? Setting https for templates in the config?
      Thanks!
    • By nuel
      Dear PW Community
      Let me shout out my question here, I really don't know where to start and hope someone can give me a hint or tell me to resign and go home and cry.
      I want to create a subpage that is only accessible to people with unique access codes. It's gonna be an online concert streaming page (thanks Corona!). People who buy tickets through a local ticketing service should be able to access and stream the show with their individual access code. These codes should work only for this person and show. If someone in the «audience» closes and reopens the page, they should get in again, but not their friends who were given the code of course, basically just like in a club with a ticket and a stamp on the wrist.
      Now, is there a possibility to achieve that with more or less basic Processwire skills? In my imagination I have a field where I list the given access codes, another two to add start and ending date/time of the show, maybe one for a unique ID/title of the show.
      Is there an existing module for something like that? Should I get into the module development field and create that? How?? Haha. Any comments are welcome here.
      Thanks,
      Nuél
       
×
×
  • Create New...